Note: The term “RBL” is commonly used to describe DNS Black Lists (DNSBLs), but it’s a trademark of Mail Abuse Prevention System (MAPS), one of the first RBLs. MAPS was acquired by Trend Micro in 2005. Exchange Server 2007 uses the term IP Block List Provider.

When connections from IP addresses listed on the Global Deny List are dropped, you don’t find any traces of those dropped connections in SMTP logs [for more details about SMTP logging in Exchange Server 2003, read the previous post “Logging SMTP protocol activity”]. This is understandable: the IP addresses are explicitly added to the deny list by an administrator, and an SMTP session is never initiated. It’s not as important to log these (though many would prefer to capture information about connections blocked this way). If in doubt about which hosts are getting blocked, all one needs to do is look at this list.

When it comes to DNSBLs, the behavior is different. Connections are not dropped. Instead, messages are dropped at the RCPT TO command. This allows you to receive mail for addresses on the Exception List. RFC 2821 requires senders to be able to contact the postmaster of a domain. You can also add some of the generic addresses from your domain to the Exception List if you don’t want email to these addresses blocked.

Here’s a demo of the SMTP session. As seen in the session, the sending host gets a 550 5.7.1 error code because the IP address is listed on a DNSBL, and the recipient (in the RCPT TO command) is not listed on the Exception List.

The SMTP log records the response code 550, but not the enhanced status code 5.7.1. Having said that, this enhanced status code doesn’t by itself allow you to attribute a rejection to DNSBLs.

Connection Filtering in Exchange 2007/2010

Exchange Server 2007’s Connection Filtering agent behaves differently – connections from IP addresses explicitly listed in the IP Block List (the equivalent of the Global Deny List in Exchange Server 2003) are not blocked. This change in behavior allows such connections to be logged. Anti-spam agent logs provide detailed information about why a message was accepted or rejected by anti-spam agents. See Exchange Server 2007: Managing And Filtering Anti-Spam Agent Logs for more information about agent logs.

Here is one example of the reporting and troubleshooting that this change in behavior, the agent logs and the Shell make possible: you can search the agent logs for messages blocked by the Connection Filtering agent based on DNSBL lookups. This example searches the agent logs for messages blocked from 7/27/2007 with the reason BlockListProvider:
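
The following is an added example, not the command from the original post: a PowerShell function that takes entries shaped like Get-AgentLog output, keeps those with the reason BlockListProvider on or after a start date, and counts rejections per provider and sending IP. The function name, the sample rows and the provider names shown in ReasonData are constructed for illustration, and PowerShell 2.0 or later is assumed.

```powershell
# Added example. Property names follow Get-AgentLog output; the function name is hypothetical.
function Get-DnsblBlockSummary {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Entry,
        [datetime] $StartDate = [datetime]::MinValue
    )
    begin { $hits = @() }
    process {
        # Keep only rejections caused by an IP Block List Provider (DNSBL) lookup.
        if ($Entry.Reason -eq 'BlockListProvider' -and [datetime]$Entry.Timestamp -ge $StartDate) {
            $hits += $Entry
        }
    }
    end {
        # One row per (provider, sending IP), busiest first.
        $hits | Group-Object ReasonData, IPAddress | Sort-Object Count -Descending |
            Select-Object @{ n = 'Provider';   e = { $_.Group[0].ReasonData } },
                          @{ n = 'IPAddress';  e = { $_.Group[0].IPAddress } },
                          @{ n = 'Rejections'; e = { $_.Count } },
                          @{ n = 'Recipients'; e = { ($_.Group | ForEach-Object { $_.Recipients } |
                                                      Sort-Object -Unique) -join '; ' } }
    }
}

# Constructed sample rows (documentation IP ranges, made-up provider names).
# Assumption: ReasonData carries the name of the provider that listed the IP.
$sample = @'
Timestamp,IPAddress,Recipients,Agent,SmtpResponse,Reason,ReasonData
2007-07-26T22:10:41,192.0.2.15,info@example.com,Connection Filtering Agent,550 5.7.1 blocked,BlockListProvider,Example DNSBL
2007-07-27T09:14:02,192.0.2.15,sales@example.com,Connection Filtering Agent,550 5.7.1 blocked,BlockListProvider,Example DNSBL
2007-07-27T09:14:05,192.0.2.15,info@example.com,Connection Filtering Agent,550 5.7.1 blocked,BlockListProvider,Example DNSBL
2007-07-27T11:30:17,198.51.100.7,hr@example.com,Connection Filtering Agent,550 5.7.1 blocked,LocalBlockList,
2007-07-27T12:02:44,203.0.113.9,sales@example.com,Content Filter Agent,550 5.7.1 rejected,SclAtOrAboveRejectThreshold,7
2007-07-28T03:45:10,203.0.113.60,info@example.com,Connection Filtering Agent,550 5.7.1 blocked,BlockListProvider,Second DNSBL
'@ | ConvertFrom-Csv

# Offline run against the sample; the row dated 7/26 and the non-DNSBL rows are excluded.
$sample | Get-DnsblBlockSummary -StartDate '7/27/2007' | Format-Table -AutoSize

# On a transport server the same function can consume live agent log entries:
# Get-AgentLog -StartDate '7/27/2007' | Get-DnsblBlockSummary
```

Grouping by provider and IP shows which DNSBL is doing most of the blocking and which recipients a listed host keeps trying, which helps when deciding whether an address belongs on the Exception List.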